I'm trying to figure out the correct way to restrict my Google Maps API keys to use in my flutterflow app. I use the following APIs:
- Places API: in the FF placepicker (and Google Map) widget
- DistanceMatrix API: as a FF custom API call (not private; not using Google Cloud Function)
- Geocode API: also as a FF custom API call (not private; not using Google Cloud Function)
I've three separate keys as FlutterFlow recommends:
I use the keys in this manner: all 3 keys are specified in the relevant input fields on the FF Google Maps Integration page.
This uses the appropriate keys for the Places API and Google Map widget. For the custom API calls to the DistanceMatrix and Geocode APIs, I just use the Browser Key (as it is currently unrestricted, so not tied to any platform/application).
Now, I was asking for some help from the Google Support team and they recommended that I restrict my API keys using the following options:
So, I did the following:
- Restricted the iOS and Android keys to their corresponding platforms and restricted the browser key to these URLs:
  - https://*.run.app (since this was the referrer URL in the console when calling this API in test mode without using a proxy)
  - https://*.herokuapp.com (this was the referrer URL in the console when calling this API in test mode with the FF proxy)
  - https://*.flutterflow.io
- In my custom API calls, I'm now specifying the API key as a variable and passing it in the calling action with a conditional check of the platform (iOS, Android, Web).
However, this doesn't seem to work, neither for the platform-specific keys nor for the browser one. I'm aware of the issue with the browser one: the website restriction is only allowed when the API is called directly from a website, preferably from the Google Maps JavaScript SDK. So, the correct restriction for Test Mode would be to specify the IP address(es) from which the call can be made; however, that is not known to us, since it might not be static. For the platform-specific restrictions, I'm clueless about why it doesn't work.
The simplest and safest solution I see to this is to just deploy these APIs as Cloud Functions (using the Private API option in FF). That way, I can just use a single API key for all the requests; however, the only issue I face with that is with the IP restrictions, since, as per my understanding, Google Cloud (Run) functions do not have a static IP; rather, I'd have to use some external service or, as per this link, the Google VPC service to do this.
Can someone confirm if this is the best way to do this or am I missing a simpler solution?
Tagging a few awesomely helpful people - Serge Middendorf, Pooja Bhaumik, Dimitar Klaturov.
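The server-side proxy the post proposes (one key, held only in the Cloud Function, with the DistanceMatrix and Geocode calls relayed through it), as an added example that is not part of the original post and is not FlutterFlow's or Google's code. It assumes the Node.js Cloud Functions runtime with Express-style `req`/`res` objects, an environment variable named `MAPS_SERVER_KEY` (a made-up name for the single server-side key), and the standard Distance Matrix and Geocoding web-service URLs under `https://maps.googleapis.com/maps/api/`. Only an allow-list of services and query parameters is forwarded, any `key` sent by a client is dropped, and `fetch` is injectable so the URL-building logic can be checked without network access.

```javascript
// Added example: a minimal Cloud Functions style HTTP proxy in front of the
// Distance Matrix and Geocoding web services. The Maps key never ships in the
// app: it is read from MAPS_SERVER_KEY (assumed variable name) and appended
// here, so the key can be restricted to those two APIs instead of being an
// unrestricted "browser" key embedded in the mobile binaries.
'use strict';

const UPSTREAM_BASE = 'https://maps.googleapis.com/maps/api/';

// Constructed allow-list: which services the proxy will relay, and which query
// parameters each may carry. Extend it to match the parameters your own
// custom API calls use; anything not listed is rejected, so the function
// cannot be repurposed as a generic relay for other Google APIs.
const ALLOWED = {
  distancematrix: new Set(['origins', 'destinations', 'mode', 'units', 'language']),
  geocode: new Set(['address', 'latlng', 'components', 'language', 'region']),
};

// Build the upstream URL for one service, or throw if the request is not on
// the allow-list. `params` is the client's query object; `apiKey` is the
// server-side key, which always wins over anything the client sent.
function buildUpstreamUrl(service, params, apiKey) {
  const allowed = ALLOWED[service];
  if (!allowed) {
    throw new Error(`service not allowed: ${service}`);
  }
  if (typeof apiKey !== 'string' || apiKey.length === 0) {
    throw new Error('server-side Maps key is not configured');
  }
  const url = new URL(`${service}/json`, UPSTREAM_BASE);
  for (const [name, value] of Object.entries(params)) {
    if (name === 'key') {
      continue; // a client-supplied key is ignored, never forwarded
    }
    if (!allowed.has(name)) {
      throw new Error(`parameter not allowed for ${service}: ${name}`);
    }
    if (typeof value !== 'string' || value.length === 0 || value.length > 2048) {
      throw new Error(`bad value for ${name}`);
    }
    url.searchParams.set(name, value);
  }
  url.searchParams.set('key', apiKey);
  return url.toString();
}

// HTTP entry point in the shape of a Cloud Functions (Express-style) handler.
// Route is /<service>, e.g. GET /distancematrix?origins=...&destinations=...
// `fetchImpl` defaults to the global fetch (Node 18+) and is injectable so the
// handler can be exercised with a fake upstream.
async function handler(req, res, fetchImpl = globalThis.fetch) {
  const service = (req.path || '/').replace(/^\/+|\/+$/g, '');
  let upstream;
  try {
    upstream = buildUpstreamUrl(service, req.query || {}, process.env.MAPS_SERVER_KEY);
  } catch (err) {
    res.status(400).json({ error: err.message });
    return;
  }
  const resp = await fetchImpl(upstream);
  const body = await resp.text();
  res.status(resp.status).set('Content-Type', 'application/json').send(body);
}
```

Because the key only ever leaves the function towards `maps.googleapis.com`, the restriction that matters on it is the API restriction (Distance Matrix and Geocoding only); the static-IP question the post raises disappears for the key itself, though the function still needs whatever caller authentication your deployment provides so that the proxy is not an open relay billed to your project.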